Understanding the new Cookie regulations

24.04.2012

On 26th May 2012, the regulations governing the use of cookies on websites are changing. If you know all about cookies, you may already be aware and geared up for the changes. However, if you’re in the majority who don’t know a web cookie from a chocolate chip, you’re likely to find the whole thing slightly baffling.

What are cookies?

Essentially, a cookie is a piece of data stored by a website within a browser. It’s designed to remember things that a user has looked at and provide a long term browsing history such as remembering the items you have in your basket when shopping online.

Why do people worry about them?

Cookies are controversial because they take information from website visitors without their knowledge. The main arguments are around whether this is done for the benefit of the website visitor or the website owner.

What are the benefits of cookies?

Cookies can be very useful for both website visitors and site owners. They are essential for making a consumer’s browsing a more straightforward experience. However, some are used to monitor users’ habits without their consent, creating a profile which can be used to target individuals with tailored products. And that is seen by many as a breach of their privacy. Some, such as session cookies, are crucial for internet shopping as they monitor what’s in people’s baskets. They are neither long term nor intrusive. Others, like persistent cookies, store information between sessions, which is subsequently often used for targeted cross site advertising. For example if you view a YouTube video on a website the next time you visit YouTube they may suggest similar videos based on your previous viewing. Cookies are also used as part of Google Analytics, a tool which helps assess performance of a website.

Why are things changing?

The Information Commissioners Office (ICO) has been prompted to make the new rules in light of the online tracking of individuals and the use of spyware. It is hoped that the revisions will protect privacy of internet users. The intention is that these changes are primarily aimed at people who exploit cookies. The ICO doesn’t want to eradicate their use entirely; it just doesn’t want them to be used without people’s knowledge or agreement.

So how bad are my cookies…?

Each cookie used on your website will fall under one or two of the following categories:

1. Zero Intrusive CookiesSite navigation User sessions Basket contents These are cookies that make your site work. They fall under the ‘strictly necessary’ exemption for consent in the regulations.

2. Low Intrusiveness Cookies Analytics cookiesText size Colour preferences These are designed to enhance the user experience or measure site performance. They are classed as 1st Party cookies and can only remain active for less than 30 days otherwise they are deemed as…

3. Medium Intrusiveness Cookies

Website personalisation

Facebook like buttons

These store more personal identifiable information and may cross site track. This would also include third party cookies that enable certain types of plug-ins and widgets to be added to a site to enhance user functionality.

4. High Intrusiveness Cookies

Online advertising

Google maps

YouTube Videos

A vast majority of 3rd party cookies fall into this category. They are intended to track and record visitors interests, without any prior consent:

How will this affect my website?

The changes will involve some initial effort on your behalf, but once consumer understanding improves things will become more straightforward for everyone involved.

Whether you were previously aware of cookies or not, now is the time to implement a cookies policy for your website. After the 26th the ICO will be in a position to start taking action against organisations which haven’t complied. However, since not all UK organisations are compliant yet, showing a level of awareness of the rule change should be enough to avoid fines. The ICO makes 3 recommendations…

1. Audit your website to find out what cookies you have

2. Inform your visitors about your use of cookies

3. Get Consent for their continued use.

So the first step is to carry out an audit of your website, to obtain the information that shows that you are at least aware of the legislation and will take measures to rectify any issues. Following your audit there are two options to consider depending on how close you wish to interpret the regulations:

1) Strict Opt-in

This assumes that the visitor does not want cookies enabled on the site. When a visitor lands on a site a small message appears alerting them that they will not experience a fully functioning website due to cookies being ‘BLOCKED’. They have the option to find out more and then ‘ALLOW’ cookies if they wish. See www.principalinvestment.co.uk for an example of strict opt-in consent.

2) Implied Consent

This assumes that the visitor wants cookies. When a visitor lands on a site a small message appears alerting them that cookies are being used and offers them a way to find out more. They then have the option to ‘BLOCK’ cookies. See www.bt.com for an example of implied consent.

At this time of writing the Implied Consent approach is regarded as a ‘grey area’ and is under review by the ICO. However we are recommending to adopt this approach as it assumes everything is fine unless a user decides otherwise. This will ultimately have less impact on your website and your business. If you are in any doubt, ask a solicitor to run through the guidelines for you, or request a web audit from your web agency.

What’s the worst that can happen?

Websites that fail to comply risk a civil penalty of up to £500,000 per cookie! While this will be very difficult to enforce, it’s still best to err on the side of caution.

The message is: ‘Be open and honest with your users about the cookies on your site.’